Abstract. Biometric identity-based encryption (Bio-IBE) is a kind of fuzzy identity-based encryption (fuzzy IBE) where a ciphertext encrypted under an identity w' can be decrypted using a secret key corresponding to an identity w which is close to w' as measured by some metric. Recently, Yang et al. proposed a constant-size Bio-IBE scheme and proved that it is secure against adaptive chosen-ciphertext attack (CCA2) in the random oracle model. Unfortunately, in this paper, we will show that their Bio-IBE scheme is not even chosen-plaintext secure. Specifically, a user w using his secret key is able to decrypt any ciphertext encrypted under an identity w' even though w is not close to w'. 

Keywords: Cryptanalysis; Biometric identity-based encryption; Chosen-ciphertext secure; Chosen-plaintext secure 



1 Introduction 

To simplify the certificate management in traditional public key infrastructure, Shamir [1] first introduced the concept of identity-based cryptography in 1984. In this scenario, a user's public key is derived from his identity, e.g., his e-mail address, and his secret key is generated by a trusted third party called the private key generator (PKG), who has knowledge of a master secret key. In 2001, the first two practical identity-based encryption (IBE) schemes were presented in [2] and [3], respectively. 

The notion of fuzzy identity-based encryption (fuzzy IBE) was introduced by Sahai and Waters [4] in 2005, where each identity is viewed as a set of descriptive attributes. A fuzzy IBE scheme is very similar to a standard IBE scheme except that a ciphertext encrypted under an identity w' can be decrypted using the secret key associated with an identity w which is close to w' as judged by some metric. The error-tolerance property of fuzzy IBE enables biometric attributes to be used in a standard IBE scheme. In 2007, Burnett et al. [5] proposed the first biometric identity-based signature (Bio-IBS) scheme, where they used biometric information to construct the identity of a user. The first biometric identity-based encryption (Bio-IBE) scheme was proposed by Sarier [6] in 2008. It absorbed the advantage of Burnett et al.'s Bio-IBS scheme. Subsequently, Sarier [7] presented an improved Bio-IBE scheme which is secure against a new type of denial of service attack. Recently, Yang et al. [8] presented a constant-size Bio-IBE scheme and proved that it is secure against adaptive chosen-ciphertext attack (CCA2) in the random oracle model. Unfortunately, in this paper, we will show that their scheme is not even chosen-plaintext secure. 

The rest of this paper is organized as follows. Section 2 introduces some preliminaries required in this paper. In Section 3, we review Yang et al.'s Bio-IBE scheme. In Section 4, we present an attack on their Bio-IBE scheme. Finally, we conclude the paper in Section 5. 

2 Preliminaries 

2.1 Bilinear pairing 

Let $G$ and $G_T$ be two groups with the same prime order $p$. A map $e : G \times G \to G_T$ is called a bilinear map if it satisfies the following three properties. 

1. Bilinearity: For all $a, b \in \mathbb{Z}_p$ and $u, v \in G$, we have $e(u^a, v^b) = e(u, v)^{ab}$. 

2. Non-degeneracy: There exist $u, v \in G$ such that $e(u, v) \neq 1$. 

3. Computability: There is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G$. 

2.2 Biometric identity-based encryption 

As mentioned above, a Bio-IBE scheme is essentially a fuzzy IBE scheme, with the only difference that it uses a set of biometric attributes as a user's identity. Therefore, a Bio-IBE scheme also consists of the following four algorithms [4]: 

— Setup: Given a security parameter $k$, the PKG generates a master secret key MSK and the public parameters PP, which contain a threshold $d$. The PKG publishes the public parameters PP and keeps the master key MSK secret. 

— Extract: Given the public parameters PP, the master secret key MSK and a user's biometric attribute set $w = (\mu_1, \cdots, \mu_n)$, the PKG generates a secret key $sk_w$ for the user. 

— Encrypt: On input the public parameters PP, a message $m$ and a user's biometric attribute set $w' = (\mu'_1, \cdots, \mu'_n)$, it returns a ciphertext $C$. 

— Decrypt: On input the public parameters PP, a secret key $sk_w$ corresponding to the user $w$, and a ciphertext $C$ encrypted under the set of attributes $w'$, it outputs the message if and only if $|w' \cap w| \geq d$. 

The security notion for Bio-IBE proposed by Yang et al. [8] is indistinguishability of ciphertext under adaptive chosen ciphertext attack (IND-sID-CCA2). A weaker security notion proposed in [3] is indistinguishability of ciphertext under chosen plaintext attack (IND-sID-CPA). Its formal definition is based on the following game played between a challenger C and an adversary A. 



— Init. The adversary A outputs a target attribute set $w' = (\mu'_1, \cdots, \mu'_n)$. 

— Setup. The challenger C runs the Setup algorithm and sends the system parameters PP to the adversary A. 

— Phase 1. The adversary A adaptively delivers secret key extraction queries on many attribute sets $w_i$, where $|w' \cap w_i| < d$ for all $i$. The challenger C runs the Extract algorithm to obtain a private key $sk_{w_i}$ for each $w_i$ and sends the result to A. 

— Challenge. The adversary A submits two equal-length messages $m_0$ and $m_1$. The challenger C picks a random bit $b \in \{0, 1\}$ and encrypts $m_b$ under $w'$. Then C sends the ciphertext to A. 

— Phase 2. The adversary A issues additional secret key extraction queries as in Phase 1. 

— Guess. The adversary A outputs a guess $b'$ of $b$ and wins if $b' = b$. 

The advantage of an adversary A in this game is defined as $|\Pr[b' = b] - 1/2|$. 

Definition 1. A Bio-IBE scheme is IND-sID-CPA secure if there is no polynomial-time adversary that succeeds in the above game with a non-negligible advantage. 

2.3 Fuzzy Extraction 

The fuzzy extraction process is essential for many Bio-IBE schemes such as [6,7,8]. Let $\mathcal{M} = \{0, 1\}^k$ be a finite dimensional metric space with a distance function $\mathrm{dis} : \mathcal{M} \times \mathcal{M} \to \mathbb{Z}^+$. An $(\mathcal{M}, l, t)$ fuzzy extractor consists of the following two functions Gen and Rep: 

— Gen: This function takes as input a biometric template $b \in \mathcal{M}$. It outputs an identity $ID \in \{0, 1\}^l$ and a public parameter PAR. The biometric template $b$ is unique for each user since it is a concatenation of the user's biometric attributes. 

— Rep: This function takes as input a biometric template $b' \in \mathcal{M}$ and the public parameter PAR. It outputs the identity $ID$ if $\mathrm{dis}(b, b') \leq t$. In other words, we can obtain the same identity $ID$ as long as $b'$ is "close" to $b$. 

For two biometric attribute sets $w$ and $w'$, we assume that $\mathrm{dis}(b, b') \leq t$ if $|w' \cap w| \geq d$ and thus we have $ID = ID'$, where $(b, ID)$ and $(b', ID')$ are extracted from $w$ and $w'$, respectively. 

3 Review of Yang et al.'s Bio-IBE scheme 

Let $\Delta_{i,S}(x) = \prod_{j \in S, j \neq i} \frac{x - j}{i - j}$ denote the Lagrange coefficient for $i \in \mathbb{Z}_p^*$ and a set $S$ of elements in $\mathbb{Z}_p^*$. Yang et al.'s Bio-IBE scheme [8] is specified as follows. 
Setup: Given a security parameter $k$, the PKG does: 

1. Choose two groups $G$ and $G_T$ with the same prime order $p$, a bilinear map $e : G \times G \to G_T$ and a generator $g$ of $G$. 

2. Select two hash functions $H : b \to \{0, 1\}^*$ and $H_1 : \mathbb{Z}_p^* \times \{0, 1\}^* \to \mathbb{Z}_p^*$. 

3. Pick $s \in \mathbb{Z}_p^*$ and $g_1 \in G$ uniformly at random, and set $g_2 = g^s$. 

4. The public parameters are $PP = (G, G_T, e, g, g_1, g_2, H, H_1)$ and the master key is $s$. 

Extract: Given a user's biometric attribute set $w = (\mu_1, \cdots, \mu_n)$, the PKG does: 

1. Compute $ID = H(b)$ and $PAR = \mathrm{Gen}(b)$, where $b$ is a concatenation of each $\mu_i$ ($1 \leq i \leq n$). 

2. Choose a random polynomial $q(x) \in \mathbb{Z}_p^*[x]$ of degree $d - 1$ such that $q(0) = s$. 

3. For each $i \in [n]$, compute $d_{i,1} = (g_1 \cdot g^{H_1(ID)})^{q(\mu_i)}$ and $d_{i,2} = g^{q(\mu_i)}$. 

4. Send the private key $sk_w = (d_{i,1}, d_{i,2})_{\mu_i \in w}$ to the user and publish PAR. 

Encrypt: On input the public parameters PP, a message $m \in G_T$ and an identity $w' = (\mu'_1, \cdots, \mu'_n)$, the sender does: 

1. Get the public parameter PAR of the receiver and compute $ID' = \mathrm{Rep}(b', PAR)$, where $b'$ is a concatenation of each $\mu'_i$ ($1 \leq i \leq n$). 

2. Choose $r \in \mathbb{Z}_p^*$ uniformly at random. 

3. Compute $C_1 = g^r$, $C_2 = (g^{H_1(ID')})^r$ and $C_3 = m \cdot e(g_1, g_2)^r$. 

4. Send $C = (w', C_1, C_2, C_3)$. 

Decrypt: To decrypt the ciphertext $C$ encrypted under the attribute set $w'$, a user with attribute set $w$ satisfying $|w' \cap w| \geq d$ does: 

1. Choose an arbitrary set $S \subseteq w' \cap w$ such that $|S| = d$. 

2. Compute 
\[
m = C_3 \cdot \frac{e(C_2, g_2)}{e\left(C_1, \prod_{\mu_i \in S} d_{i,1}^{\Delta_{\mu_i,S}(0)}\right)}.
\]
The Decrypt algorithm works since $ID = ID'$ when $|w' \cap w| \geq d$ and, by Lagrange interpolation, $\sum_{\mu_i \in S} q(\mu_i) \Delta_{\mu_i,S}(0) = q(0) = s$, so that 
\[
\begin{aligned}
C_3 \cdot \frac{e(C_2, g_2)}{e\left(C_1, \prod_{\mu_i \in S} d_{i,1}^{\Delta_{\mu_i,S}(0)}\right)}
&= \frac{m \cdot e(g_1, g_2)^r \cdot e(g^{H_1(ID') r}, g^s)}{e\left(g^r, \prod_{\mu_i \in S} (g_1 \cdot g^{H_1(ID)})^{q(\mu_i) \Delta_{\mu_i,S}(0)}\right)} \\
&= \frac{m \cdot e(g_1, g_2)^r \cdot e(g^{H_1(ID) r}, g^s)}{e(g^r, (g_1 \cdot g^{H_1(ID)})^s)} \\
&= \frac{m \cdot e(g_1, g_2)^r \cdot e(g^{H_1(ID) r}, g^s)}{e(g^s, (g_1 \cdot g^{H_1(ID)})^r)} \\
&= \frac{m \cdot e(g_1, g^s)^r}{e(g^s, g_1^r)} \\
&= m.
\end{aligned}
\]

Remark. Compared to the scheme in [8], there is a small (but important) modification in the above scheme. Namely, we use $H_1(ID)$ (resp. $H_1(ID')$) instead of $H_1(w, ID)$ (resp. $H_1(w', ID')$). We know that, for two random strings $w$ and $w'$, $H_1(w, ID) = H_1(w', ID)$ cannot be true in general. Therefore, the original Decrypt algorithm in [8] may fail. In our modified scheme, the Decrypt algorithm will work since $H_1(ID) = H_1(ID')$ when $|w' \cap w| \geq d$. In fact, $H_1(ID)$ plays the same role as $H_1(w, ID)$ in this scheme. 

4 The proposed attack 

Yang et al. [8] proved that their scheme is IND-sID-CCA2 secure in the random oracle model. However, in this section, we show that their scheme is not even IND-sID-CPA secure. Assume that the target attribute set is $w' = (\mu'_1, \cdots, \mu'_n)$. A polynomial-time adversary A attacks Yang et al.'s Bio-IBE scheme as follows: 

1. In the Setup phase, the adversary A obtains the system parameters PP from a challenger C. 

2. In Phase 1, the adversary A makes a secret key extraction query on an attribute set $w$, where $|w' \cap w| < d$. The challenger C runs the Extract algorithm to obtain a private key $sk_w$ for $w$ and sends the result to A. 

3. In the Challenge phase, A submits two equal-length messages $m_0$ and $m_1$. The challenger C picks a random bit $b \in \{0, 1\}$ and runs the algorithm $\mathrm{Encrypt}(m_b, w')$ to obtain a ciphertext $C'_b$. Then C sends $C'_b$ to A. 

4. In Phase 2, A does not issue any query. 

5. Let $sk_w = (d_{i,1}, d_{i,2})_{\mu_i \in w} = ((g_1 \cdot g^{H_1(ID)})^{q(\mu_i)}, g^{q(\mu_i)})_{\mu_i \in w}$, where $ID = H(b)$ is the identity extracted from A's own attribute set $w$. Upon receiving the ciphertext $C'_b = (w', C_1, C_2, C_3) = (w', g^r, (g^{H_1(ID')})^r, m_b \cdot e(g_1, g_2)^r)$, A determines the bit $b$ by performing the following steps: 

(a) For each $\mu_i \in w$, compute $g_1^{q(\mu_i)} = d_{i,1} / d_{i,2}^{H_1(ID)}$. 

(b) Select an arbitrary set $S \subseteq w$ such that $|S| = d$. 

(c) Output $m_b = C_3 / \prod_{\mu_i \in S} e(C_1, g_1^{q(\mu_i)})^{\Delta_{\mu_i,S}(0)}$. 
We can verify its correctness as follows: 
\[
\begin{aligned}
\frac{C_3}{\prod_{\mu_i \in S} e(C_1, g_1^{q(\mu_i)})^{\Delta_{\mu_i,S}(0)}}
&= \frac{m_b \cdot e(g_1, g_2)^r}{\prod_{\mu_i \in S} e(g^r, g_1^{q(\mu_i)})^{\Delta_{\mu_i,S}(0)}} \\
&= \frac{m_b \cdot e(g_1, g_2)^r}{e(g^r, g_1)^s} \\
&= \frac{m_b \cdot e(g_1, g^s)^r}{e(g_1, g^r)^s} \\
&= m_b.
\end{aligned}
\]

It is clear that Yang et al.'s Bio-IBE scheme is broken; that is, their scheme is not chosen-plaintext secure. The reason is that the component $C_3 = m \cdot e(g_1, g_2)^r$ does not depend on the receiver's identity at all, while the quotient $d_{i,1} / d_{i,2}^{H_1(ID)}$ removes the only identity-dependent part of the secret key, leaving $d$ shares $g_1^{q(\mu_i)}$ that interpolate to the mask $e(g_1, g_2)^r$ for every ciphertext. Notice that, in a Bio-IBE scheme, a user with identity $w$ can of course decrypt ciphertexts encrypted under identity $w'$ using his secret key if $|w' \cap w| \geq d$. From the above attack, we know that a user with identity $w$ can also decrypt ciphertexts encrypted under identity $w'$ using his secret key even though $|w' \cap w| < d$. Consequently, a valid user can decrypt any ciphertext encrypted under any identity using his secret key in Yang et al.'s scheme. 
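As an added illustration that is not part of the paper, the following Python models Section 3's scheme and Section 4's attack algebraically: every group element is represented by its discrete logarithm, so the pairing becomes multiplication mod $p$, which is enough to check the correctness equations above but has no security value. The hash $H_1$, the group order, the attribute values and the identity strings are constructed for this example and are not taken from Yang et al.'s scheme.

```python
import hashlib
import secrets
# Constructed algebraic model (not a real pairing, no security): an element g^x
# of G is stored as its exponent x and an element e(g,g)^y of G_T as y, so group
# multiplication is addition mod p, exponentiation is multiplication mod p and
# the pairing e(g^a, g^b) = e(g,g)^{ab} is a*b mod p: the identities the paper uses.
P = (1 << 61) - 1  # stands in for the prime group order p

def H1(identity: str) -> int:  # H_1(ID): hash an identity string into Z_p
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P

def lagrange0(i, S):
    """Lagrange coefficient Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j)/(i - j)."""
    num = den = 1
    for j in (j for j in S if j != i):
        num, den = num * (-j) % P, den * (i - j) % P
    return num * pow(den, -1, P) % P

def setup():  # master key s; PP holds (exponents of) g_1 and g_2 = g^s
    s = secrets.randbelow(P - 1) + 1
    return {"g1": secrets.randbelow(P - 1) + 1, "g2": s}, s

def extract(pp, s, attrs, identity, d):
    """d_{i,1} = (g_1 g^{H_1(ID)})^{q(mu_i)}, d_{i,2} = g^{q(mu_i)}, deg q = d-1, q(0) = s."""
    coeffs = [s] + [secrets.randbelow(P) for _ in range(d - 1)]
    q = lambda x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return {mu: ((pp["g1"] + H1(identity)) * q(mu) % P, q(mu)) for mu in attrs}

def encrypt(pp, m, attrs, identity):
    """C = (w', C_1 = g^r, C_2 = (g^{H_1(ID')})^r, C_3 = m * e(g_1, g_2)^r)."""
    r = secrets.randbelow(P - 1) + 1
    return attrs, r, H1(identity) * r % P, (m + pp["g1"] * pp["g2"] * r) % P

def decrypt(pp, sk, ct, d):
    """Honest Decrypt of Section 3: needs a d-subset S of w' and w."""
    attrs, C1, C2, C3 = ct
    S = [mu for mu in attrs if mu in sk][:d]
    if len(S) < d:
        raise ValueError("fewer than d attributes in common with the ciphertext")
    den = sum(C1 * sk[mu][0] * lagrange0(mu, S) for mu in S) % P  # e(C_1, prod d_{i,1}^Delta)
    return (C3 + C2 * pp["g2"] - den) % P  # C_3 * e(C_2, g_2) / den

def attack(sk, own_identity, ct, d):
    """Section 4 attack: a key holder unmasks C_3 with no attribute in common with w'."""
    _, C1, _, C3 = ct
    # the key holder knows his own ID = H(b); the quotient strips H_1(ID) -> g_1^{q(mu_i)}
    shares = {mu: (d1 - d2 * H1(own_identity)) % P for mu, (d1, d2) in sk.items()}
    S = list(shares)[:d]
    mask = sum(C1 * shares[mu] * lagrange0(mu, S) for mu in S) % P  # e(g^r, g_1)^s
    return (C3 - mask) % P  # the mask equals e(g_1, g_2)^r for every identity
```

Running `attack` with a key whose attribute set is disjoint from the ciphertext's recovers the message exactly, while `decrypt` with the same key raises, which is the gap between the scheme's intended access policy and what the key actually allows.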

5 Conclusion 

Recently, Yang et al. [8] proposed a constant-size Bio-IBE scheme and proved that it is adaptively chosen-ciphertext secure in the random oracle model. In this paper, however, we have shown that their scheme is not even chosen-plaintext secure. 